07-24-2012 07:43 PM - edited 03-10-2019 07:20 PM
Hi guys.
I'm trying to set up two Cisco ISE appliances, Primary and Secondary. Everything is fine. I import the self-signed cert from the secondary to the primary and life is good.
But... I thought if I make the secondary node PRIMARY only for MONITORING it would be better for CPU and all that. When I do that and go to the dashboard I get an error saying untrusted because the secondary node has a self-signed cert. It won't let me see the dashboard. Anyone had this problem?!?
I do not have a CA cert. Maybe if I use VeriSign or GoDaddy certs this would work. We have those spare and they are cheap, and those certs would help for clients not to see the "continue anyway" stuff and so on.
Sent from Cisco Technical Support iPhone App
07-24-2012 08:41 PM
Hi,
No need to worry; it is because the reports that are displayed are from the secondary node, so the browser rejects the content. As a workaround, log back into the secondary node using the FQDN or the CN for the cert name and trust the self-signed cert. Once you log back into the primary you will see the content displayed again.
thanks,
Tarik Admani
*Please rate helpful posts*
07-24-2012 08:43 PM
Hi. Thanks. I'm going to VPN in now. You still think it's a good idea to have the secondary node for monitoring?
What about the VeriSign cert?
Sent from Cisco Technical Support iPhone App
07-24-2012 08:49 PM
The VeriSign cert is a good idea to go with. Just remember that ISE does not support wildcard certificates, so you will have to generate a CSR from ISE and will need it signed.
Here is a sample of how to create a CSR - http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_cert.html#wp1077292
thanks,
Tarik Admani
*Please rate helpful posts*
07-24-2012 08:51 PM
You sir, you are the man. 100x thanks.
Thoughts on secondary ISE as monitor primary?
07-24-2012 08:57 PM
That is the way I usually deploy ISE for my customers; it helps, like you mentioned, balance the processing and CPU cycles between the two nodes.
Tarik Admani
*Please rate helpful posts*
07-24-2012 08:58 PM
Alright, thanks dude, I really appreciate it.
Take care.